Oracle has denied allegations of a security breach after a threat actor claimed to be selling six million data records allegedly stolen from Oracle Cloud’s federated SSO login servers.

The company stated that no Oracle Cloud customers were affected and that the published credentials were not related to its cloud services.

The hacker, known as rose87168, released text files containing a sample database, LDAP information, and a list of companies they claimed were affected. They also shared an Internet Archive link as supposed proof, showing that they uploaded a .txt file with their ProtonMail email address to Oracle’s login.us2.oraclecloud.com server.

The hacker is now selling the allegedly stolen data on the BreachForums hacking site, offering it for an undisclosed price or in exchange for zero-day exploits. They claim the data includes encrypted SSO passwords, Java Keystore (JKS) files, key files, and Enterprise Manager JPS keys. According to them, the SSO passwords are encrypted but can be decrypted with the available files, while the hashed LDAP passwords could potentially be cracked. The threat actor has also offered to remove specific company data from the leak for a price.

They allege they gained access to Oracle Cloud servers 40 days ago and attempted to extort Oracle for 100,000 XMR (Monero cryptocurrency) in exchange for details on the breach. However, Oracle reportedly refused to pay after requesting a full disclosure of the vulnerability.

The hacker claims the breach was possible due to a vulnerable version of Oracle Cloud software with a known CVE flaw, though no public proof-of-concept exploit has been shared. BleepingComputer is currently reaching out to companies whose data was allegedly stolen to verify the claims, with updates expected as more information emerges.
